Dear Accountant Officer,
Hereby you are notified that your Income Tax Return Appeal id#0184348 has been REJECTED. If you believe the IRS did not properly assess your case due to a misinterpretation of the case details, be prepared to provide additional information. You can obtain the rejection report and re-submit your appeal under the following link Online Tax Appeal.

The malicious payload is on pollypeach.com/search.php?page=73a07bcb51f4be71 and pollypeach.com/content/ap2.php?f=e4649 (see the report here), hosted on 69.163.45.128 (Directspace, US). Blocking the IP rather than the domain will stop any further infections from that server.

The payload is on cgunikqakklsdpfo.ru:8080/img/?promo=nacha which is multihomed (details below). It's pretty easy to search your outbound logs for connection attempts to .ru:8080 if you haven't got filtering enabled.
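One way to do that log search, as an added example that is not part of the original post. It scans constructed proxy-log lines (timestamp, client, method, URL, destination IP) for three things seen throughout these spam runs: a .ru host on port 8080, the Blackhole landing-page and payload URL shapes (main.php or search.php with a 16-hex-character page parameter, content/ap2.php with a short hex f parameter), and destinations in a known-bad IP or netblock list. The log format, the sample lines and the placeholder address 198.51.100.77 for the .ru host are assumptions; the indicators themselves are taken from this page.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the page: a Blackhole landing page is main.php or
# search.php with a 16-hex-char "page" parameter, the payload stage is
# content/ap2.php with a short hex "f" parameter, and the second-stage
# downloaders sit on throwaway .ru domains listening on port 8080.
LANDING_RE = re.compile(r"^/(?:main|search)\.php$")
PAGE_RE = re.compile(r"^[0-9a-f]{16}$")
PAYLOAD_RE = re.compile(r"^/content/ap2\.php$")
F_RE = re.compile(r"^[0-9a-f]{4,8}$")

# IPs and the /24 named on this page; extend from your own blocklist.
BAD_IPS = {"69.163.45.128", "41.64.21.71", "115.249.190.46", "76.12.101.172"}
BAD_NETS = [ipaddress.ip_network("199.30.89.0/24")]

# Assumed log layout: "<timestamp> <client> <METHOD> <url> <dest ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)

# Constructed sample; 198.51.100.77 is a placeholder, not a real host.
SAMPLE_LOG = """\
1329900001.101 10.1.2.3 GET http://www.example.com/index.html 93.184.216.34
1329900002.204 10.1.2.3 GET http://pollypeach.com/search.php?page=73a07bcb51f4be71 69.163.45.128
1329900003.377 10.1.2.3 GET http://pollypeach.com/content/ap2.php?f=e4649 69.163.45.128
1329900004.512 10.1.2.3 GET http://cgunikqakklsdpfo.ru:8080/img/?promo=nacha 198.51.100.77
1329900005.620 10.1.2.9 GET http://beaverday.biz/search.php?page=977334ca118fcb8c 199.30.89.139
1329900006.700 10.1.2.9 GET http://news.example.ru/ 203.0.113.5
"""


def parse_line(line):
    """Split one log line into fields and break the URL into host/port/path/query."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = urlsplit(rec["url"])
    rec["host"] = (u.hostname or "").lower()
    rec["port"] = u.port or (443 if u.scheme == "https" else 80)
    rec["path"] = u.path
    rec["query"] = parse_qs(u.query)
    return rec


def classify(rec):
    """Return the list of reasons a request looks like Blackhole traffic (empty if clean)."""
    reasons = []
    # The port matters: plenty of legitimate .ru sites exist on 80/443.
    if rec["host"].endswith(".ru") and rec["port"] == 8080:
        reasons.append("ru:8080 downloader")
    page = rec["query"].get("page", [""])[0]
    if LANDING_RE.match(rec["path"]) and PAGE_RE.match(page):
        reasons.append("blackhole landing page")
    f = rec["query"].get("f", [""])[0]
    if PAYLOAD_RE.match(rec["path"]) and F_RE.match(f):
        reasons.append("blackhole payload stage")
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        dst = None
    if dst is not None:
        if rec["dst"] in BAD_IPS:
            reasons.append("known-bad IP")
        elif any(dst in net for net in BAD_NETS):
            reasons.append("known-bad netblock")
    return reasons


def scan(lines):
    """Return (client, url, reasons) for every line that trips at least one check."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {url}: {', '.join(reasons)}")
```

The client address in each hit is the machine that needs looking at; a hit on the landing page followed by one on the payload stage from the same client is the pattern of a successful exploit rather than a blocked attempt.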

The list of IPs gets a little shorter every time, but there are still some familiar hosts here:

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud accusations

Valued AICPA member,

We have received a notice of your recent involvement in income tax refund infringement on behalf of one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be cancelled in case of the act of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 21 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Leading to 110hobart.com/content/ap2.php?f=cc677 and 110hobart.com/main.php?page=02876dd2afe89394 (a slightly different URL from before)

The IP address is a familiar one, 41.64.21.71, which is allegedly an ADSL subscriber in Cairo. This IP has been used in several attacks recently, so blocking it would be a really good idea.

Friday, 24 February 2012

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of Accountant status due to income tax fraud accusations

Dear AICPA member,

We have received a complaint about your alleged participation in income tax fraudulent activity on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be terminated in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 7 days. The failure to respond within this term will result in withdrawal of your CPA license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of Public Account Status due to tax return fraud accusations

Dear accountant officer,

We have been informed of your alleged involvement in income tax fraudulent activity for one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant status can be revoked in case of the aiding of presenting of a incorrect or fraudulent tax return on the member's or a client's behalf.

Please be notified below and provide your feedback to it within 7 days. The failure to do so within this period will result in suspension of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The links go through a legitimate hacked site to some obfuscated javascript leading to a malicious payload on synetworks.net/main.php?page=2d057d472cd217e2 and synetworks.net/content/ap2.php?f=3dc5c (report here) hosted on 76.12.101.172 (HostMySite, US). That IP is also home to housespect.net, which appears to be malicious as well. Blocking the IP should prevent any other malicious sites on the same server from being a problem.

The .htm file attempts to redirect the victim to a malicious page at cruoinaikklaoifpa.ru:8080/images/aublbzdni.php and as with this recent spate of ".ru:8080" sites it is multihomed. It then tries to download additional malware from upjachkajasamns.ru:8080/images/jw.php?i=8 on the same IP addresses. The list is pretty similar to this one with a few additions.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Valued accountant officer,

We have received a complaint about your alleged participation in income tax infringement for one of your employers. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the event of presenting of a incorrect or fraudulent tax return for your client or employer.

Please be notified below and respond to it within 21 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at srsopen.net/main.php?page=78581944265196f1; as usual the first step is a legitimate hacked site. srsopen.net is hosted on two familiar IP addresses, 115.249.190.46 and 41.64.21.71, most recently seen here.

I hadn't heard anything from these scummy SMS spammers recently; I assumed they had been busted in one of the recent crackdowns.

Urgent - You may be entitled to up to £3000 from mis-sold PPI on loans or credit cards. For a free no obligation check reply PPI or STOP to opt out

The sending number was +447866079549, although these spammers change their number more often than their underwear.

If you get one of these, you should forward the spam to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

We have detected operations with large amounts on your card which fact had not previously been observed. Please, familiarize yourself with the copies and contact us in case these transfers of amounts were not made by you.
operations screenshot.jpg 103kb

With best regards
Keitha Hanks
MD5 check sum: xxxxxxxxxxxxxxxxxxxxx

The link in the spam goes to a legitimate hacked site and then cpojkjfhotzpod.ru:8080/images/aublbzdni.php as seen in this spam run. Blocking the list of IPs mentioned in that post is probably prudent.

In the attached file I am forwarding you the Translation of the Purchase Contract

that I have just received a minute ago. I am really sorry for the delay.

Best regards,

Drake Milton, secretary

==========

The malicious payload is on cpojkjfhotzpod.ru:8080/images/aublbzdni.php which is multihomed on several IP addresses, most of which we have seen before (and many of which are with Slicehost). A plain list is at the end for copy-and-pasting.

The link in the email goes to a legitimate hacked site and then via some obfuscated javascript to energirans.net/main.php?page=598991e7306ac07e where it attempts to infect the machine with the Blackhole Exploit kit.

energirans.net is hosted on 41.64.21.71 (Dynamic ADSL, Egypt) and 115.249.190.46 (Reliance Communication, India), which are the same IPs as found in this spam run. Blocking them is probably a very good idea.

Following on from yesterday's AICPA spam run, a new domain is in use for the malicious payload, favoriteburger.net/search.php?page=73a07bcb51f4be71 on 209.59.212.14 (Endurance International Group again). The IP is worth blocking, and you may want to consider blocking larger ranges of this ISP who seem to have a problem with this type of malicious site.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Cancellation of CPA license due to tax return fraud allegations

Valued accountant officer,

We have received a notice of your possible assistance in income tax refund fraudulent activity for one of your employers. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the fact of filing of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 14 days. The failure to do so within this term will result in termination of your Accountant status.

We have received a complaint about your possible involvement in income tax return fraud for one of your clients. According to AICPA Bylaw Paragraph 500 your Certified Public Accountant status can be terminated in case of the aiding of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please be informed of the complaint below and respond to it within 14 days. The failure to provide the clarifications within this period will result in termination of your Accountant status.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Valued AICPA member,

We have been notified of your alleged involvement in tax return fraud for one of your employees. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the fact of submitting of a false or fraudulent income tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 21 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud allegations

Dear AICPA member,

We have received a complaint about your recent assistance in income tax refund fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Paragraph 765 your Certified Public Accountant license can be withdrawn in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and provide your feedback to it within 7 days. The failure to provide the clarifications within this term will result in suspension of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The link leads through a legitimate hacked site to thai4me.com/main.php?page=7d486a09d440e84a which attempts to download a Java exploit. The domain thai4me.com is hosted on 41.64.21.71 (Dynamic ADSL, Egypt) and 115.249.190.46 (Reliance Communication, India). Those IPs also host other malicious sites, so blocking them is probably a good move.
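The reason "block the IP, not the domain" keeps coming up is that the same few hosts carry domain after domain. Here is that pivot written out, as an added example that is not part of the original post: it takes the domain-to-IP observations from this page (the RECORDS table is built from them, and would normally come from your resolver logs or a passive-DNS feed), inverts them to find which IPs host more than one malicious domain, flags /24s with several bad IPs as candidates for a wider block, and lists the domains whose addresses span more than one /24, which is what "multihomed" means here. The thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Built from the hosting observations on this page (domain -> IPs it was
# seen resolving to). Constructed sample data; populate from your own
# resolver logs or a passive-DNS source in practice.
RECORDS = {
    "pollypeach.com": ["69.163.45.128"],
    "synetworks.net": ["76.12.101.172"],
    "housespect.net": ["76.12.101.172"],
    "110hobart.com": ["41.64.21.71"],
    "srsopen.net": ["115.249.190.46", "41.64.21.71"],
    "energirans.net": ["41.64.21.71", "115.249.190.46"],
    "thai4me.com": ["41.64.21.71", "115.249.190.46"],
    "favoriteburger.net": ["209.59.212.14"],
    "biggestsetter.com": ["199.30.89.187"],
    "biggestblazer.com": ["199.30.89.180"],
    "beaverday.biz": ["199.30.89.139"],
}


def index_by_ip(records):
    """Invert domain -> IPs into IP -> set of domains."""
    by_ip = defaultdict(set)
    for domain, ips in records.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return by_ip


def pivot(records, domain):
    """Other malicious domains that share at least one hosting IP with `domain`."""
    by_ip = index_by_ip(records)
    related = set()
    for ip in records.get(domain, []):
        related |= by_ip[ip]
    related.discard(domain)
    return related


def ips_to_block(records, min_domains=2):
    """IPs hosting at least `min_domains` bad domains: blocking these catches
    sibling domains you have not seen yet. Sorted numerically."""
    by_ip = index_by_ip(records)
    hits = [(ip, sorted(doms)) for ip, doms in by_ip.items() if len(doms) >= min_domains]
    return sorted(hits, key=lambda h: ipaddress.ip_address(h[0]))


def netblocks_to_review(records, prefix=24, min_ips=2):
    """/prefix networks containing at least `min_ips` distinct bad IPs; the
    page's 199.30.89.0/24 advice is this rule applied by hand."""
    by_net = defaultdict(set)
    for ip in index_by_ip(records):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].add(ip)
    hits = [
        (str(net), sorted(ips, key=ipaddress.ip_address))
        for net, ips in by_net.items()
        if len(ips) >= min_ips
    ]
    return sorted(hits)


def multihomed(records, prefix=24):
    """Domains whose addresses fall in more than one /prefix, i.e. spread
    across unrelated hosts rather than one server."""
    out = []
    for domain, ips in records.items():
        nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
        if len(nets) > 1:
            out.append(domain)
    return sorted(out)


if __name__ == "__main__":
    for ip, doms in ips_to_block(RECORDS):
        print(f"block {ip}: {', '.join(doms)}")
    for net, ips in netblocks_to_review(RECORDS):
        print(f"review {net}: {', '.join(ips)}")
    print("multihomed:", ", ".join(multihomed(RECORDS)))
```

A multihomed domain is the case where an IP block on its own is not enough: every address it resolves to has to go on the list, and a domain block is worth adding on top.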

Saturday, 18 February 2012

The Good Care Guide (goodcareguide.co.uk) looks like an admirable thing at first glance - an independent way for users of care services for the elderly and infants to review the quality of care, both good and bad. This is particularly useful with care for the elderly, where there often isn't much information, and the site has generated a lot of press comment (for example, the BBC, Sky News and the Press Association).

So... is this an entirely altruistic service? Not really. The Good Care Guide is provided in part by My Family Care Ltd which specialises in providing emergency, out-of-hours and holiday homecare for children and the elderly (e.g. emergencychildcare.co.uk, outofschoolcare.co.uk, emergencyhomecare.co.uk and myfamilycare.co.uk). Not that there appears to be anything wrong with these services, in fact they look to be pretty good and fill an important market niche.

When you sign up to write a review for the Good Care Guide, you have to give pretty much ALL your personal information, including home address and telephone number. OK, that's fair enough if you want to make sure that the reviews are genuine.

The catch comes with the privacy policy which to be fair spells out what they are going to do with your personal information very clearly.

With whom we share your information

GCG may share your information with the following entities:

Third-party vendors who provide services or functions on our behalf. Third-party vendors have access to and may collect information only as needed to perform their functions and are not permitted to share or use the information for any other purpose.

Business partners with whom we may offer products or services in conjunction. You can tell when a third party is involved in a product or service you have requested because their name will appear either with ours or separately.

Affiliated Web sites. If you were referred to GCG from another Web site, we may share your registration information, such as your name, email address, mailing address and telephone number about you with that referring Web site. We have not placed limitations on the referring Web sites' use of personal information and we encourage you to review the privacy policies of any Web site that referred you to GCG.

Companies within our corporate family. We may share your personal information within the My Family Care Group. This sharing enables us to provide you with information about care services which might interest you.

So basically, they will share your information with other parts of their own company, any referring website and indeed any third-party business partner they see fit. OK, everybody needs to run a business, but there is no opt-out clause. If you want to write a review, then you are agreeing to receive marketing communication by email, post and even telephone regarding care services, essentially without limitation.

The Good Care Guide are not doing anything illegal. But childcare is expensive, and care for the elderly is very expensive. There is a lot of money to be made out of this type of care, and it looks like the operators of the Good Care Guide want a share of this market through their own paid-for services.

Until the Good Care Guide give an opt-out for marketing communications, then I cannot recommend this service as it looks suspiciously like a lead generator rather than a public service.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your alleged participation in tax return fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Section 700 your Certified Public Accountant license can be cancelled in case of the occurrence of filing of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 7 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Although it claims to be from "The American Institute of Certified Public Accountants" (aicpa.org), the "from" address claims to be the BBB.

Click on the "complaint.pdf" link and you are redirected to biggestsetter.com/search.php?page=73a07bcb51f4be71 which attempts to download the Blackhole Exploit Kit. biggestsetter.com is hosted on 199.30.89.187 (Zerigo / Central Host Inc). This netblock has been used several times in the past few days so my advice is to block access to 199.30.89.0/24.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Dear AICPA member,

We have been notified of your recent assistance in income tax refund fraud on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the occurrence of submitting of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the complaint below and respond to it within 7 days. The failure to respond within this term will result in cancellation of your Accountant license.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud allegations

Dear accountant officer,

We have been notified of your possible participation in income tax return fraudulent activity for one of your clients. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be cancelled in case of the act of submitting of a misguided or fraudulent income tax return for your client or employer.

Please find the complaint below below and respond to it within 14 days. The failure to provide the clarifications within this period will result in withdrawal of your Accountant status.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your possible assistance in tax return fraudulent activity on behalf of one of your employers. According to AICPA Bylaw Section 500 your Certified Public Accountant license can be withdrawn in case of the fact of submitting of a incorrect or fraudulent tax return for your client or employer.

Please find the complaint below below and respond to it within 21 days. The failure to respond within this period will result in withdrawal of your CPA license.

freac.net is a domain used by malicious spam email pretending to be from the BBB or NACHA, as in this example. In that case, freac.net was apparently hosted on an IP belonging to Huawei in the US, but shortly afterwards it went non-resolving.

The attachment attempts to download malicious code from cserimankra.ru:8080/images/aublbzdni.php which is multihomed (report here) and then attempts to download more malcode from samaragotodokns.ru:8080/images/jw.php?i=8

These .ru sites are hosted on a familiar set of IP addresses, very similar to the ones found here.

I've never seen a legitimate site hosted by inferno.name, and I recommend that you block their IP ranges. I identified the following list last August; I haven't had the chance to go back and check it again.

The malware is on biggestblazer.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 199.30.89.180 (Central Host Inc / Zerigo, yet again). It attempts to download additional components from billydimple.com/forum/index.php?showtopic=656974 on 69.164.205.122 (Linode, again).

I've now seen several malicious sites in the 199.30.89.0/24 range; it might be worth considering blocking the whole lot.

Wednesday, 15 February 2012

I've been tracking NAPPPA (aka North American Program Planning and Policy Academy or NA3PA) for a few months now. One question eluded me - who is actually running this series of so-called seminars that have generated so many complaints and has scored a miserable F rating at the BBB?

There are two key bits of evidence here:

Firstly, we keep seeing an IP address of 173.55.115.38 which is responsible for sending out the emails. We know that this is in Hacienda Heights, California, and it belongs to a Verizon customer.

A second key bit of evidence is the phone number used in the original spam run earlier this year, (800) 649-6522. A Google Search shows that this number was in use last year for an outfit called "The Grant Writing Workshop" (sound familiar?) with a domain of grantwritingworkshops.info.

As it happens, the domain grantwritingworkshops.info has been deleted. But oddly enough, not because the domain expired (it was registered until April 2012), but because someone deliberately chose to delete the domain in May 2011. Perhaps it is not a coincidence that complaints about NAPPPA started to mount at about the same time.

Using a historical WHOIS service, we can see who the domain was registered to before it was deleted:

There are several interesting matches for this name. One confirms a connection with NAPPPA and names another individual, Anthony Christopher Jones, who has co-written a book with this person called STRATCOMM101: Strategic Communication for Policy and Program Planning. (Sound familiar?) Just in case the book gets deleted from Lulu.com, here is a screendump:

Exactly what relationship Anthony Christopher Jones has with NAPPPA will become clear, but in the meantime here is his Yahoo! contributor profile. This says: Anthony Christopher Jones is a native of Compton, California who has lived in the metropolitan Los Angeles area his entire adult life. A quintessential Angeleno, Anthony is a passionate Lakers fan and enjoys all of the perks that comes with living in a huge, diverse, and contemporary city. He is a writer, college lecturer, and entrepreneur. His full-time business and passion involves real estate development and investment projects in Southern California. He also teaches program planning, proposal development, and strategic communication workshops and seminars throughout the United States and is co-author of "STRATCOMM 101: Strategic Communication for Policy and Program Planning".

We'll find out more about Anthony Jones later.

There is more gold to be found digging into the name Patchree Patchrint, though. This article from the Nonprofit Times names this person directly in relation to another grant company in 2008, along with Anthony Christopher Jones. Here is an excerpt:

More than 40 complaints have been made to various Better Business Bureau (BBB) affiliates against The Grant Institute, with some instructors alleging the organization hasn't paid them and participants still waiting for refunds for courses that were canceled.

The Grant Institute, a Los Angeles-based entity of the Institute for Communication Improvement (ICI), hosts workshops across the country to teach nonprofits and medical researchers grant writing skills. Some instructors and attendees are upset with their experiences and are questioning the company's business and financial practices.

Sound familiar? You can see the BBB report for that operation here; it scores F too.

The North Dakota AG's office warned about The Grant Institute as well. In fact, there are masses of complaints about The Grant Institute, here are some of them:

"DOSS Development Group LLC" is registered as a foreign entity (from Nevada) in California (search for number 200815610040). The agent is Patchree Patchrint.

Entity Name: DOSS DEVELOPMENT GROUP, LLC
Entity Number: 200815610040
Date Filed: 05/21/2008
Status: ACTIVE
Jurisdiction: NEVADA
Entity Address: 655 SOUTH FLOWER STREET #367
Entity City, State, Zip: LOS ANGELES CA 90017
Agent for Service of Process: PATCHREE PATCHRINT
Agent Address: 1059 SOUTH BROAD BLVD
Agent City, State, Zip: LOS ANGELES CA 90015

We can search for DOSS Development Group in Nevada too, which confirms the name "Anthony Jones" and lists the contact address as a UPS store.

So, in brief, we started with an IP address and a phone number. The IP address led us to Hacienda Heights, California. The phone number led us to another web site registered to Patchree Patchrint, also of Hacienda Heights. Patchree Patchrint led us to Anthony Christopher Jones, and that led us to The Grant Institute dating back to 2005, which carries a BBB F rating and has been warned about by a state attorney general.

So who is behind NAPPPA? The evidence shows that Patchree Patchrint and Anthony Jones are behind this, and have been running the same scheme since at least 2005.

After the last annual computations of your financial activity we have determined that you are eligible to get a tax refund of $802.

Please submit the tax refund request and allow us 3-9 days in order to process it.

The delay of a refund can be caused by a variety of reasons.

E.g., sending incorrect records or not meeting a deadline.

To learn the details of your tax refund please open this link.

Best regards,
Tax Refund Department
Internal Revenue Service

The malware starts at synergyledlighting.net/main.php?page=6d63cba62f5eb9a0 and then downloads various components (report here). Today synergyledlighting.net is on 178.211.40.29 (Sayfa Net, Turkey). This is one where blocking both the IP and domain is probably a good idea.

I've never heard of RnBXclusive (rnbxclusive.com), but it is a site to do with Urban Music which isn't really my cup of tea. However, visitors to the site today get a message from SOCA saying:

SOCA has taken control of this domain name.
The individuals behind this website have been arrested for fraud.

The majority of music files that were available via this site were stolen from the artists.
If you have downloaded music using this website you may have committed a criminal offence which carries a maximum penalty of up to 10 years imprisonment and an unlimited fine under UK law.

SOCA has the capability to monitor and investigate you, and can inform your internet service provider of these infringements.

You may be liable for prosecution and the fact that you have received this message does not preclude you from prosecution.

As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.

Visit pro-music.org for a list of legal music sites on the web.

One annoyance is that SOCA display the IP address of the visitor and basically accuse the visitor of being a criminal. But, more seriously, SOCA's message indicates that the site operator was guilty of illegal activities without a trial. Remember courts? Judges? That sort of thing? Any good lawyer could probably argue that SOCA's statement is prejudicial.

Also of interest, the .com name is registered through GoDaddy in the US, the site is hosted on 83.138.166.114 which appears to be in a Rackspace facility in the UK. It looks like SOCA might have gained control of the server rather than the domain name which shows no WHOIS changes.

I can't believe that there is a person in the world receiving this who will not have received hundreds of versions of the same thing before, but the spammers continue. The malicious payload is at biggestloop.com/main.php?page=27f6207e33edeeca (analysis here) on 206.214.68.57 (B2Net Solutions, Canada). Block the IP if you can. Better still, write some filters for your email system to keep the things far, far away.

F-Secure Mobile Security is not a bad product - it includes anti-theft software, a virus scanner and a supposedly secure browser. In the UK, F-Secure charge £29.95 a year for this, which is pricey for an Android application, but usually F-Secure products are very good. You can get a month's free trial before you buy.

It has some strengths and weaknesses. But I won't be upgrading to the paid version. Why not? Well, every day the same nag message comes up:

F-Secure would like to have your phone number for the purposes of possible product information and marketing related messaging. The cost of approval is that of one-time standard SMS to Finland. Do you agree?

There are two buttons: Yes and No. Click "No" and the message seems to go away... until the next day. And the day after that. And the day after that. You get the picture. Either this is a bug or it is a very aggressive attempt to get you to agree to SMS marketing. Either way it's a big turnoff and I'll be looking for another product to protect my Android.

The malware is on freac.net/main.php?page=cd12dfacc57c3f82 (report here) which is on IP address 12.133.182.133 (Huawei Technologies, US). Blocking access to the IP address will prevent any other malicious sites on the server from being a problem.

Attached the intercompany inv. for the period Dec. 2011 til Jan.. 2012.

Thanks a lot for supporting this process

DELL AVILES

Arch Coal Corp.

The obfuscated javascript in the attachment attempts to download malicious code from coajsfooioas.ru:8080/images/aublbzdni.php followed by more code from tuberkulesneporok.ru:8080/images/jw.php?i=8 (Wepawet report here).

These domains are multihomed on the same IPs as listed here. Blocking access to those IPs should stop further malware attacks from being successful.

The malware is at cooldcloud.com/search.php?page=73a07bcb51f4be71 hosted on 74.91.117.227 (Nuclear Fallout Enterprises... again). Blocking the IP is best as that will protect against other malware, although you may want to block more widely given the problems with this host.

The payload is a Blackhole exploit kit at beaverday.biz/search.php?page=977334ca118fcb8c (Wepawet report here) which is hosted on 199.30.89.139 (Central Host Inc / Zerigo.net), just a few IPs away from 199.30.89.135 as used in this spam run a few days ago. I have also seen malicious activity on 199.30.91.44 in the same /21; perhaps Zerigo / Central Host have a problem? Block IPs as you feel is appropriate.